Digital "Pharmacusa" II: The “GandCrab” Phenomenon
In the 1st century BC, a small island of Pharmacusa (Farmakonisi) became a scene of one of the most infamous ransom extortions in history. According to Plutarch, a Roman commander Julius Caesar had to pay 50 Talents of Roman Currency to Sicilian pirates to be released. Through the next 2,000 years, rulers offered to fill rooms with gold or flotillas with silver as ransom. And even by this day, the entire cities and states can be held hostage, while governments pay millions to rescue the infrastructure. If one will need to describe the 2019 threat landscape with only a few words, "ransomware" will definitely be one of them.
The sharp rise of this menace is reshaping the entire cyber domain, filling the headlines with news about attacks against high-profile public and corporate networks. The underground community reacts by developing multidimensional structures of criminal alliances, shadow auctions, trusted groups, secretive relationships, and partnerships designed to maximize the revenue of the expanding ransomware market. These fragile unions bring together experts from all across the darkweb, who join the efforts to attack the most secure and lucrative targets.
Who are these Sicilian pirates and Pizarro conquistadors of the digital realm? Through this research series, AdvIntel offers a deep-dive into the cobweb (labyrinth) of organizational, political, and financial relationships between ransomware syndicates. By examining the stories of hacker groups and talented DarkWeb criminals, we will display how the ransomware ecosystem is becoming more complex, interconnected, and organized, while these groups themselves evolve from individual network intruders into perfectly balanced mechanisms of advanced digital crime.
The Paradigm Shifter: How GandCrab Ransomware Legacy Enabled Upcoming Ransomware Collectives to Flourish
The “GandCrab” Phenomenon
In late January 2018, the “GandCrab” group launched their Ransomware-as-a-Service (RaaS) program which revolutionized the digital extortion industry.
Before GandCrab, traditional ransomware teams, run by Russian-speaking hackers were acting privately, silently, and avoided underground forums. The secrecy originated from the traditional pursuit of anonymity across the cybercrime community and as a result of social and cultural repulsion associated with ransomware development. The Russian-speaking underground considered digital extortion unethical, anti-intellectual, and damaging for the cybercrime socio-cultural ecosystem.
GandCrab chose to change the status quo and became a paradigm-shifting phenomenon. They turned the ransomware business into a full-fledged media operation. Branding, marketing, outreach, and even Public Relations (PR) manifested in continuous communications with customers, affiliates, victims, and security researchers - everything was meticulously set to establish a new type of ransomware enterprise.
GandCrab developed its own charity campaigns and micro-loan partnerships across forums while community members were devoting poetry to the group and referenced it during forum discussions of relationships and romance. The cybercrime syndicate’s impact was so strong that even one review posted by their official darkweb accounts was enough to elevate or erase a certain malware product offered for sale. When new loaders or stealers were released, the first question which high-profile members of the underground asked was: “Are these compatible with “Crab?”, while numerous exclusive malware samples, botnets, domain accesses, network credentials, and other auction rounds were closed with the message “sold to GandCrab.”
As summarized by the Exploit forum moderator and, one of the leading blackhat ransomware reverse engineers “Quake3,” “Crab was unique, he was alive, and this was his competitive advantage. What remains after he quit is dull and boring.”
This assessment, however, is only partially correct. GandGrab established a new formation. One of the most successful cybercrime syndicates in recent history impacted hundreds of individuals across the cybercrime community. GandCrab abandoned the old ways of a ransomware circlet in which affiliates were handpicked were supposed to have a long-term experience in the business. Instead, they opened their doors to the newcomers. For a huge proportion of those who worked with GandCrab, this was the first real experience with ransomware. Their RaaS programs and affiliate relationships were built in a way to serve as a safe haven for those who just started to navigate across the murky waters of cybercrime. This way, the newcomers inherited GandCrab models and traditions as participation in RaaS was their major success, not only in ransomware but often in cybercrime overall. Eventually, GandCrab students started their own smaller ventures, bringing new features and ideas to the foundation from which they all started.
The migration of skill and talent from a defunct group to a new one is a norm across the Russian-speaking ransomware community. In their early stages, GandCrab itself was suspected by the members of the underground to be a continuation of the infamous Cerber Ransomware-as-a-Service (RaaS). It did not take long before their own patterns, style, phrasing, and, of course, methods were routinely used as a template for creating new ransomware activities. Since 2018, the Russian-speaking underground was overwhelmed by RaaS programs with the use of similar code or code-replicas, identical extensions, identical phrasing in ransomware notes or product descriptions.
The list of the most successful and talented affiliates who continued to invest their criminal energy into the ransomware business includes such prolific actors as “ford”, “FloodService”, “veneno”, “snowflake”, while entire ransomware collectives like “jsworm” and their affiliate “PenLat” who are behind the “JSworm” and “Nemty” ransomware originated within the GandCrab experience. Finally, the talents of the most devoted GandCrab supporters, including “Lalartu” may have directly contributed to the rise of a new extortion market leader - the REvil RaaS group.
Image 1: A screenshot from GandCrab RaaS panels with Lalartu statistics. Later, Lalartu migrated to the REvil RaaS
Fresh Blood: The “truniger” Team
Image 2: An infographic portrays both the initial and new attack vector of the truniger group
Among the affiliates for whom GandCrab became a form of a ransomware school modeling their inner traditions and tradecraft were members of a hacker collective which in 2019 became known as “TeamSnatch” and “truniger”.
This group Summer 2018, created by an individual interested in credit card fraud and ended up evolving into an expanded hacking network consisting of over ten threat actors. At the beginning of their cybercrime career, truniger (who then referred to themselves in singular) was fascinated with carding and e-skimming. According to them, they have started with a sum of money obtained from a legitimate job, which was invested in the financial fraud digital infrastructure. This criminal avenue, however, quickly exhausted truniger’s funds and lead them into financial hardship. In attempts to dodge these dire circumstances, the hacker began investigating Remote Desktop Protocol (RDP) vulnerabilities, specifically, brute-forcing RDPs to access different databases.
The RDP brute-forcing vector proved to be more successful and soon, truniger started to investigate different ways to monetize the accesses which they obtained. RaaS was a natural next step. Since summer 2018, the hacker inquired about ransomware, anti-virus vulnerabilities, and backdoors within legitimate software. According to them, since June 2018, they tested their skills working in a ransomware partnership with Rapid Ransomware. By August 2018, they encrypted more than 1,800 devices. The same month, truniger was noticed by the GandCrab which became a landmark in their evolution.
Image 3: A screenshot of access to an unspecified SQL database, obtained by truniger via a brute-forced compromised RDP. Compromised RDPs were the initial focus of this actor before they joined GandCrab
According to the actor, by participating in GandCrab’s affiliate program, they learned the tradecraft. After several months with GandCrab, truniger began building a ransomware collective similar to the one they saw established by their teacher. Through the next several months, the team massively expanded, hiring technical support for ransomware operations:
November 2018 hiring:
1. A pentester with a monthly salary of up to 4,000 USD capable of secretly navigating through corporate networks.
2. A full-time ransomware coder
December 2018 hiring:
3. A pentester proficient with Metasploit and PowerShell
4. A pentester focused on access privilege escalation for corporate networks (monthly salary starting from $5,000 USD)
January 2019 hiring:
5. A system administrator with experience in data backup and Kali Linux
Specialist in malware uploading
February 2019 hiring:
6. Part-time stuff to register domains and search for prospective team members
March 2019 hiring:
7. Metasploit specialist with skills in obtaining domain control (monthly salary starting from $10,000 USD)
June 2019 hiring:
8. Spammer for spreading the botnet via corporate emails on a massive level
9. A specialist on spearphishing to spread the botnet via targeted emails
July 2019 hiring:
10. Full-time Metasploit specialist
11. Local networks/pen-testing specialist
Image 4: A timeline of truinger evolution from an individual hacker to a coordinator of a large ransomware collective
Tactics, Techniques & Procedures (TTPs)
From GandCrab truniger collective learned to use a wide range of tactics, which are mostly centered around ransomware distribution. The group engages in RDP brute-forcing and uses privately-ordered RDP brute-forcing pentesting tools weaponized to compromise RDPs during the initial engagement with the victim’s system.
Image 5: A screenshot of an RDP brute-force “z668” pentesting software, used by truniger hacker group. Compromised RDPs serve to execute the locker in the victim’s environment
On June 20, 2019, truniger team shared that they are changing the main attack vector for network breach from RDP compromise to a botnet.
Typically the group investigates the network first and then obtains access privileges, specifically for Windows system administrators. All these operations are needed to eventually infect more machines with the ransomware. Within the system, the group uses mimikatz, searches for credentials of the domain admin, extracts financial data, and escalates access privileges.
In a secure conversation, the truniger group described their tactics in the following way:
"We have a loader, first we deliver the loader [via targeted email phishing] and then upload the bot, and then, by using the bot we upload all the meta and move further within the network. ... We are currently focusing on dedicated servers [and compromised RDPs] .... [we are] interested in macro and Dynamic Data Exchange (DDE) for our purposes."
Image 6: A botnet interface of the a2019 «Amadey» loader. The loader received positive reviews from the Exploit community for low detection rates. It is used by the truniger group to deliver the malware since at least June 2019.
On April 28, 2019, truniger offered files extracted from a German IT company CityComp. In their Exploit forum post, truniger referenced an unnamed group of hackers who committed an attack against the company using ransomware. When the victim refused to pay the ransom, the group decided to offer stolen files for free. The Exploit community reacted moderately to the publication of this data. High-profile Exploit users claimed that the extracted files have very limited value.
However, on May 1, 2019, three days after the truniger post, the international and German media announced the breach of CityComp. The company has been attacked by a hacker collective naming themselves the Snatch team. Allegedly, the hackers have compromised CityComp's infrastructure and obtained data from companies such as Oracle, SAP, BT, Porsche, Toshiba, Volkswagen, Airbus, and others.
truniger's post did not contain any attribution claims, and the hacker collective has never publicly associated itself with Team Snatch. In their post, as well as in continuous Exploit forum discussion, truniger continued to refer to them as an unspecified hacker group. Moreover, certain discrepancies existed between the truniger post and media coverage. The international media (except for German-language media) outlets claimed that the hackers demanded a $5,000 USD ransom, while truniger claimed that the demand was $500,000 USD.
During the initial secure communication with the AdvIntel investigator persona, truniger behaved as if they are not aware of any connection between their group and the breach. However, through the course of AdvIntel investigation truniger stated:
"yeh, I remember this case: their data was kept on a server, after a while, we just leaked them because they became redundant".
On May 23, 2019, the group uploaded on Exploit 13 GB of data stolen from an Italian insurance company. According to Exploit users, the data which was offered for free contains insurance checks, bank transfer information, and PII of Italian citizens.
On June 8, 2019, the group offered access to a Municipal Government of an Italian city. The post said:
“Selling RDP access into the internal network of the municipality of the city in Italy (on the coast).
Access to all infrastructure, domain administrator rights.
There are more than 200 machines, servers, and workstations in the network, more than 10 class-C subnetworks, subnetworks for VoIP
start - 1 BTC ($8,000 USD)
step - 0.2 BTC
blitz - 5 BTC”
The access was reportedly sold on June 12. The same day, truniger offered breached access into two retail shops for $500 USD
On July 8, 2019, truniger claimed that they have access to a domain, owned by a Canadian interior and furniture producer. The access is established via compromised RDP and allegedly gives access to at least 19 machines within the network environment. Previously, on July 7, 2019, the group offered RDP with local administrator access privileges for 170 devices hosted within an Italian clinic network.
Image 7: truniger group observing a compromised network of an Italian clinic
Most recently, On July 17, 2019, the actor group offered access to a KIA dealership in a "major English-speaking country" with 36 PCs in the network for $3,000 USD. AdvIntel investigation confirmed that the dealership is owned by a local retailer company based in Canada. However, the group only obtained access with limited user privileges and claims to be incapable of uploading their ransomware or performing other malicious operations with this access.
The truniger collective is an example of how quickly one actor can establish an efficient cybercrime group due to the right connections within the community. The underground social network became an enabler for growth. Starting from minor carding operations, this hacker evolved through GandCrab RaaS and decided to create their own version of a highly-efficient digital extortion program.
After recurring hiring activities, and attempts to invest significant funds to expand their team, the team was able to access high-profile networks and reached the headlines. Partial evidence suggests that the truniger team may be closely cooperating with the REvil group or even working to support their ransomware distribution, which further illustrates the role and impact of social infrastructure behind the contemporary digital extortion.